
Summary
This threat detection rule monitors failed number challenge attempts during Okta Multi-Factor Authentication (MFA). With Okta Verify push and number matching enabled, the sign-in page displays a number and the person holding the enrolled phone must select that same number in the Okta Verify app; selecting a different number is logged as an MFA failure. The rule uses Splunk to aggregate Okta authentication events, filtering for the event type and outcome that indicate failure due to an invalid challenge response, and counts those failures per user over a short time window. Two properties make the signal worth alerting on. First, a number challenge is only issued after the primary factor has succeeded and a push has been delivered, so a burst of failures for one account usually means the password is already in an adversary's hands; this is more consistent with the use of valid accounts than with credential stuffing, which fails before any MFA challenge is sent. Second, the number is visible only on the sign-in screen that started the request, so a wrong answer means someone responded to a push they did not initiate, which is the pattern of repeated push prompts (MFA fatigue) that an adversary sends until the user approves one. The rule is particularly relevant to the threat actor collective tracked as 'Scattered Spider', which is known to use forced authentication and valid accounts for initial access. When triaging, check whether an MFA success for the same user follows the failures and whether the source IP or device matches the user's normal pattern; a success after a burst of failures should be treated as a compromised account, not a confused user. By monitoring and logging these events, organizations can respond before unauthorized access turns into a data breach.
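The aggregation the rule performs in Splunk, replayed in Python over a handful of constructed Okta System Log events so the logic can be read and run offline. This is an added example, not the rule's own SPL or any Okta code. The field paths it reads (eventType, published, outcome.result, outcome.reason, actor.alternateId, client.ipAddress) are standard System Log fields and user.authentication.auth_via_mfa is the MFA verification event type, but the outcome.reason literal it matches on is an assumption, since the page does not quote the exact string; confirm it against a real failure event in your tenant before deploying anything derived from this. The sample events are constructed, and the sliding window and the "approved after burst" enrichment go beyond what the summary describes.

```python
"""Replays the failed number-challenge detection over constructed Okta System Log
events. Added example (not the rule's SPL or Okta's code). Field paths used -
eventType, published, outcome.result, outcome.reason, actor.alternateId,
client.ipAddress - are standard System Log fields; the outcome.reason literal is
an ASSUMPTION: confirm it against a real failure event in your tenant."""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_EVENT = "user.authentication.auth_via_mfa"
NUMBER_CHALLENGE_FAILURE_REASON = "INVALID_NUMBER_CHALLENGE"  # ASSUMED literal


def _ev(published, user, ip, result, reason=None, event_type=MFA_EVENT):
    """Build a minimal System Log record (constructed sample data, not real logs)."""
    outcome = {"result": result}
    if reason:
        outcome["reason"] = reason
    return {"eventType": event_type, "published": published,
            "actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "outcome": outcome}


# Constructed sample: alice answers wrong four times in four minutes, approves on the
# fifth push, then fails once more 20 minutes later; bob fails once on the number
# challenge and once for an unrelated reason; carol's record has the wrong eventType.
SAMPLE_EVENTS = [
    _ev("2024-02-09T10:00:00.000Z", "alice@example.com", "203.0.113.10", "FAILURE", NUMBER_CHALLENGE_FAILURE_REASON),
    _ev("2024-02-09T10:01:10.000Z", "alice@example.com", "203.0.113.10", "FAILURE", NUMBER_CHALLENGE_FAILURE_REASON),
    _ev("2024-02-09T10:02:30.000Z", "alice@example.com", "198.51.100.7", "FAILURE", NUMBER_CHALLENGE_FAILURE_REASON),
    _ev("2024-02-09T10:03:45.000Z", "alice@example.com", "203.0.113.10", "FAILURE", NUMBER_CHALLENGE_FAILURE_REASON),
    _ev("2024-02-09T10:04:30.000Z", "alice@example.com", "203.0.113.10", "SUCCESS"),
    _ev("2024-02-09T10:20:00.000Z", "alice@example.com", "203.0.113.10", "FAILURE", NUMBER_CHALLENGE_FAILURE_REASON),
    _ev("2024-02-09T09:00:00.000Z", "bob@example.com", "192.0.2.5", "FAILURE", NUMBER_CHALLENGE_FAILURE_REASON),
    _ev("2024-02-09T09:01:00.000Z", "bob@example.com", "192.0.2.5", "FAILURE", "INVALID_CREDENTIALS"),
    _ev("2024-02-09T09:02:00.000Z", "carol@example.com", "192.0.2.9", "FAILURE", NUMBER_CHALLENGE_FAILURE_REASON, event_type="user.session.start"),
]


def parse_ts(s):
    """Okta publishes RFC 3339 timestamps with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_failed_number_challenge(ev):
    outcome = ev.get("outcome") or {}
    return (ev.get("eventType") == MFA_EVENT
            and outcome.get("result") == "FAILURE"
            and outcome.get("reason") == NUMBER_CHALLENGE_FAILURE_REASON)


def detect(events, window=timedelta(minutes=5), threshold=3):
    """One alert per user whose failed number challenges reach `threshold` inside a
    sliding `window`. A sliding window (rather than fixed 5-minute bins) keeps a
    burst that straddles a bin boundary from being split below threshold.
    Each alert also records whether an MFA SUCCESS for the same user followed the
    burst within `window`, i.e. whether the fatigue attempt appears to have worked."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_ts(e["published"])):
        user = (ev.get("actor") or {}).get("alternateId")
        if is_failed_number_challenge(ev):
            failures[user].append(ev)
        elif ev.get("eventType") == MFA_EVENT and (ev.get("outcome") or {}).get("result") == "SUCCESS":
            successes[user].append(parse_ts(ev["published"]))

    alerts = []
    for user, evs in failures.items():
        times = [parse_ts(e["published"]) for e in evs]
        best, start = (0, 0, 0), 0          # (count, start index, end index)
        for end in range(len(evs)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count < threshold:
            continue
        last = times[e]
        alerts.append({
            "user": user,
            "count": count,
            "src_ips": sorted({evs[i]["client"]["ipAddress"] for i in range(s, e + 1)}),
            "first": times[s].isoformat(),
            "last": last.isoformat(),
            "approved_after_burst": any(last < t <= last + window for t in successes[user]),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, only alice trips the rule: four failures inside the window, two distinct source IPs, and an MFA success 45 seconds after the last failure, which is the case to escalate first. Bob's single matching failure and carol's mismatched event type are ignored, and alice's later failure at 10:20 falls outside the window and is not counted. Tune `threshold` and `window` to your tenant's baseline; the point of the enrichment is that a burst followed by a success is a different incident than a burst that stays failed.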
Categories
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1187
- T1078
Created: 2024-02-09